Information security awareness system

ABSTRACT

A computer system for providing security awareness in an organization comprises: a memory means, constituted by a hard disk or Random Access Memory device, a central processor unit connected to the memory means, an input device, constituted by a mouse or keyboard device, and an output device, constituted by a printer or display device. The input device is connected to the central processor unit for the input of a piece of security information into the computer system, for storing the security information in the memory means as an information security object. The output device is connected to the central processor unit for the output of security information. The system further comprises a policy module communicating with the input device and the memory means for the conversion of the piece of security information into the information security object to be stored in the memory means, and a survey module communicating with the memory means and the output device for generating from the information security object an element of a questionnaire to be output by means of the output device.

The invention relates to a computer system and a method providing, on a modular platform, security policy management, security survey, security education, risk analysis and management, incident management and audit functions to individuals in an organization. The elements are used all together or separately. By utilizing the technique according to the invention, users gain multilanguage security policies and rules, policy-based and auto-generated surveys, increased security awareness, and increased knowledge and ability to shape their actions in a security-cautious way. The organization, e.g. a business enterprise or company, gains lower cost of developing, maintaining and communicating security policies and rules, increased information security, increased return on investment in existing security technologies and products, and reduced risk of costly security incidents.

The method is operated in two alternative set-ups: 1) in a hosted environment, in order to provide the defined functions and services; 2) as a stand-alone execution running on servers at business users or business partners, in order to provide the defined functions and services.

The computer system operates on a standard business-style networked computer, for example a server type computer with hard drives, computing power, memory and input/output devices, or the system operates on a dedicated computer device with storage capacity, computing power, memory and input/output devices.

The method and the computer system according to the invention are preferably implemented using software running on computers. The software contains user interface modules for each of the modules, business logic, persistence, an information security object database, as well as interfaces between the users and the modules and interfaces between the modules or services.

User Interface to Modules.

The technique according to the invention provides full functionality to users through an Internet browser, e.g. MS Internet Explorer, Netscape, Mozilla, or Opera.

Email messages are used to direct users to the appropriate network address, accessed by an Internet browser.

Alternatively, the user interface to the modules is implemented using stand-alone applications (versus browser based).

Security policy applied to common data security architecture, e.g. U.S. Patent Application 20010018746, which is an architecture allowing users to generate trust policies independent of the computers they have the responsibility of managing.

Security management system and security managing method, e.g. U.S. Patent Application 20010023486, which is a database based security management and security audit system. This invention is about having users managing systems.

American vendors Pentasafe and Intellitactics provide security policy management tools or services: one is a product named “Livingpolicy”, another is “Vigilent Policy Manager”. Both also provide simple surveying functions. Yes/No questionnaires which refer to security policy requirements are known prior to this invention.

Electronically performed surveys with functions which allow a manager-type user, e.g. a security manager or an officer, to put free-text style questions in a number of questionnaires to users are known.

E-learning systems and learning management systems are known. Security learning classes, also web based, are known. These classes target system administrators, network administrators or security administrators, and do not target all relevant users in an organisation.

In some organisations or contexts the terms “security instruction”, “security rule”, or “security procedure” are used instead of or together with the term “security policy”.

The technique according to the present invention supports multiple languages, both in terms of the software itself and in terms of the content elements, e.g. the information security objects.

The policy module is a tool for security policy management. The users of the module use the Policy module to generate and manage a set of easy to use security policies. The content in these policies is re-used in the survey module and in the education module.

In this context, the term “policy” is to be understood as a number of records in the policy table in the Information Security Object database (ISO-DB). The records relate to a specific customer organization and contain the following fields:

-   Customer
-   Object Category
-   Object descriptor
-   Object Content
-   Content category and sub category
-   Target group

The Customer is an identifier optionally linking to a separate customer table, further optionally linking to a CRM system. The operator (or superuser) creates a customer in the customer table of the database after receiving an order or after agreeing to a demonstration for a specific client.

The Object Category identifies the type of information security object to which the record relates. It contains text, e.g. whether the information security object impacts “computer user behavior”, impacts only the “IT-department”, or is about “physical access”. There will typically be a number of information security objects with the same content category. Example: more than one information security object regulates the physical access to the customer's information assets.

The Information security object descriptor is the object description itself; it contains a text string or a link to a text string describing the object. Examples include: “Passwords are required to contain a variety of different character types.” and “Passwords are required to have a minimum length”. Objects are unique within the customer's policy, and the Manager selects the information security object from lists of object templates which content providers define. These lists are stored in tables for information security object templates. Objects which are not already in the policy are marked e.g. “Unused”, “New”, or “Customer specific”.

The Object Content holds the content or the value of the Information security object. The value is a text string. The Manager chooses the content from a list where all entries relate to the Information security object. Example: if the Information security object specifies that a certain password length is required, the object content field contains the exact value, e.g. “eight characters”, and the list contains a number of other contents which in some cases are acceptable. In the list, a field named “default security rating” indicates which Object Content options content providers consider the more secure choices.

The Content category describes to which content categories the ISO belongs. Example: “Passwords”, “Computer security”, “Network Access”.

The Target group describes to whom the ISO relates. The number of ISO's within security policies tends to become large. The effect of this value is a reduction of the number of ISO's presented to an individual group of users.

A superuser adds the name of the security policy into the information security object database (ISO-DB).

-   Either a default security policy is created:
    -   The superuser specifies the “default security level profile” of the organization.
    -   The system queries all information security objects (ISO) which match the default security level profile and adds the result to the information security policy for the organization, hereby generating a default current security policy.

Or the ISO's are created from existing text-format security policies, security instructions, or security procedures.

The default security policy is subsequently managed by a management user: Information Security Objects are added, edited or deleted.

Those ISO's not included in the current security policy are listed as e.g. unused objects, making it easy for the management user to see, monitor and review these ISO's deliberately not used in the current policy.

Unused ISO's are made current by a simple selection.

New ISO's—e.g. organization-specific objects—are added to the customer's current policy by the management user entering the required content, e.g. content category, descriptor and value.

New default ISO's are added as the outcome of information security research performed by content providers.

The policies (or the security instructions, procedures etc.) are published, distributed or communicated to the end users through email, web servers (e.g. Internet, extranet or intranet sites) and not least through the survey module and the education module.

The users of the policy module are, by default and unless otherwise defined, the same throughout all modules:

-   Managers, who will typically be the customer's security manager or security officer or consultant, or a content provider who provides a manual policy service to the customer.
-   Superusers, who may be content providers.
-   Users, who will be computer users in the organizations of the customer.

The following table shows an example of user permissions by user group:

| Function | Users | Managers | Superusers |
|---|---|---|---|
| Read policy | ✓ | ✓ | ✓ |
| Add policy | | ✓ | ✓ |
| Modify policy | | ✓ | ✓ |
| Delete policy | | ✓ | ✓ |
| Read information security objects | ✓ | ✓ | ✓ |
| Add information security objects | | ✓ | ✓ |
| Modify information security objects | | ✓ | ✓ |
| Delete information security objects | | ✓ | ✓ |
| Read object content | ✓ | ✓ | ✓ |
| Add object content | | ✓ | ✓ |
| Modify object content | | ✓ | ✓ |
| Delete object content | | ✓ | ✓ |
| Read object content templates | | ✓ | ✓ |
| Add custom object content templates | | | ✓ |
| Modify custom content templates | | | ✓ |
| Delete content templates | | | ✓ |
| Acknowledge policy read and understood | ✓ | | |
| Add comment to information security object and object content | ✓ | | |
| Add, invite and delete users | | ✓ | ✓ |
| Add, invite and delete managers | | | ✓ |
| Read survey content | ✓ | ✓ | ✓ |
| Add custom survey content | | ✓ | ✓ |
| Modify custom content templates | | ✓ | ✓ |
| Delete content templates | | | ✓ |
| Initiate surveys | | ✓ | ✓ |
| Answer surveys | ✓ | | |
| Read survey reports | | ✓ | ✓ |
| Edit survey reports | | | ✓ |
| Read and participate in learning sessions | ✓ | ✓ | ✓ |
| Update lessons | | ✓ | ✓ |

A warning is displayed when a user is trying to modify information security objects and object values which are already used in policies and have been read by users. The warning should suggest considering adding a new object and value instead.

Information security objects and Object Contents are versioned and time stamped at last modification.

For Policy users, yet unread information security objects and object contents are marked “New”.
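The policy module procedure described above (querying templates by the default security level profile, the Unused, Current and Custom statuses, versioning and the “New” marking), worked through as an added Python example; this is illustration code, not the patent's software. The 1..3 security level scale, the rule that a template matches when its level does not exceed the organization's profile, the choice of the highest-rated fitting content option and the sample templates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

@dataclass
class IsoTemplate:
    """ISO template from a content provider's template table (constructed sample data)."""
    iso_id: str
    object_category: str               # e.g. "computer user behavior", "IT-department"
    descriptor: str                    # the object description itself
    content_category: str              # e.g. "Passwords"
    target_groups: List[str]
    default_security_level: int        # assumed scale 1 (low) .. 3 (high)
    content_options: Dict[str, int]    # object content -> default security rating, same scale

@dataclass
class PolicyRecord:
    """One record of the customer's policy table in the ISO-DB."""
    customer: str
    iso_id: str
    object_category: str
    descriptor: str
    object_content: str
    content_category: str
    target_groups: List[str]
    status: str                        # "Current", "Unused", "New" or "Custom"
    version: int = 1
    modified: str = ""                 # time stamp of last modification
    read_by: Set[str] = field(default_factory=set)

TEMPLATES = [  # constructed; real template lists come from content providers
    IsoTemplate("pw-len", "computer user behavior", "Passwords are required to have a minimum length",
                "Passwords", ["users", "it-staff"], 1,
                {"six characters": 1, "eight characters": 2, "twelve characters": 3}),
    IsoTemplate("pw-mix", "computer user behavior",
                "Passwords are required to contain a variety of different character types",
                "Passwords", ["users", "it-staff"], 2,
                {"letters and digits": 2, "letters, digits and symbols": 3}),
    IsoTemplate("desk", "physical access", "Confidential papers are removed from desks",
                "Information asset handling", ["office employees"], 1,
                {"by the end of each working day": 2, "whenever the desk is left": 3}),
    IsoTemplate("srv-room", "IT-department", "Server room access is logged",
                "Physical access", ["it-staff"], 3, {"electronic access log": 3}),
]

def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def choose_content(t: IsoTemplate, level: int) -> str:
    """Highest-rated option not above the organization's level, else the least demanding one
    (assumed selection rule; the page only says a default security rating exists)."""
    rated = sorted((r, c) for c, r in t.content_options.items())
    fitting = [rc for rc in rated if rc[0] <= level]
    return (fitting[-1] if fitting else rated[0])[1]

def create_default_policy(customer: str, level: int, templates=TEMPLATES) -> List[PolicyRecord]:
    """Templates matching the default security level profile (assumed: template level <= profile)
    become Current; the remaining ISO's are listed as Unused for later review."""
    return [PolicyRecord(customer, t.iso_id, t.object_category, t.descriptor,
                         choose_content(t, level), t.content_category, list(t.target_groups),
                         "Current" if t.default_security_level <= level else "Unused",
                         modified=_now())
            for t in templates]

def make_current(policy: List[PolicyRecord], iso_id: str) -> PolicyRecord:
    """Unused ISO's are made current by a simple selection."""
    rec = next(r for r in policy if r.iso_id == iso_id)
    if rec.status == "Unused":
        rec.status, rec.modified = "Current", _now()
    return rec

def add_custom_iso(policy, customer, object_category, descriptor, content, content_category, groups):
    """Organization-specific ISO entered by the management user; descriptors are unique per customer."""
    if any(r.descriptor == descriptor for r in policy):
        raise ValueError(f"descriptor already in policy: {descriptor}")
    rec = PolicyRecord(customer, f"custom-{len(policy) + 1}", object_category, descriptor,
                       content, content_category, list(groups), "Custom", modified=_now())
    policy.append(rec)
    return rec

def modify_content(rec: PolicyRecord, new_content: str) -> Optional[str]:
    """Version and time-stamp the change; warn when users have already read the object."""
    warning = (f"{rec.iso_id} has been read by {len(rec.read_by)} user(s); consider adding "
               "a new object and value instead") if rec.read_by else None
    rec.object_content, rec.version, rec.modified = new_content, rec.version + 1, _now()
    rec.read_by.clear()                # the new version is unread again
    return warning

def policy_view(policy: List[PolicyRecord], user: str, group: str) -> List[tuple]:
    """Current ISO's for the user's target group; objects the user has not read are marked New."""
    return [(r.iso_id, r.object_content, "" if user in r.read_by else "New")
            for r in policy if r.status == "Current" and group in r.target_groups]

if __name__ == "__main__":
    for r in create_default_policy("Company XYZ", 2):
        print(f"{r.status:8} {r.iso_id:9} {r.descriptor}: {r.object_content}")
```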

The survey module invites users at specified intervals to answer a questionnaire regarding general security knowledge and security policy specific knowledge. Invitations are made on the manager's or user's request. Invitation e-mails are sent directly from the module to invited users or to the customer's administrator. Emails contain a direct link (URL) to an online questionnaire relating to the customer and containing sufficient access information for the user to gain access to the questionnaire. The content of the invitation email is customizable and a default content is provided.

The authentication of the survey users is based upon the user's ability to receive an email at the specified email address, by user name and password, by digital certificates, by the LDAP protocol to an external system, or by another authentication method.

The user or users are presented with a short privacy policy description with a link to a wording which reassuringly and clearly describes what user data are stored and how the results of the survey will be used and by whom.

Users may choose to respond anonymously, so that no personal information is stored but the answers from the individual user are consolidated in the survey results. This feature requires that the manager has chosen to allow anonymous answers. Users choosing the anonymous option will be informed that questions might be repeated in later surveys and education.

The Survey system logs which users have answered, and a reminder process is initiated for those who did not participate before a deadline specified by the Manager. The default reminder is typically 7 days after the first invitation email. Users are associated with a number of group descriptions to enable grouped reporting and to allow targeted, efficient follow-up education.

Users are provided with their score and the right answers immediately. The administrator receives a report which documents the responses and provides a summary, making it easy to identify weak points in the security chain and to educate efficiently in the right places.

The Survey is repeated periodically as requested by the organization. The repetition allows documenting the security level development and adding new components to the policy or to the awareness program as recommended.

The content of the survey questions and the defined right answers come from a number of question pools. One pool is general knowledge questions and another is automatically derived from the ISO's.

The module generates survey result reports which are easy to read for people without security knowledge, e.g. in executive staff or management, as well as for security officers and managers. The reports contain graphically presented survey results documenting e.g. the following items:

-   Total knowledge score for the company compared to the average of all Survey respondents.
-   Total knowledge score for the company compared to the average in the same business vertical.
-   Historical development in knowledge score, with each previous survey result plotted along a time axis.
-   Total knowledge score grouped by department.
-   Total knowledge score grouped by Policy Categories.
-   Department knowledge score grouped by Object content category.
-   Historical development grouped by department.

The module also generates a report so that individual Users may see their own personal security score development chart.

The module supports PGP encrypted emails to the administrator, by allowing the administrator to upload a public PGP key.

The education module presents its lessons to the users as e-learning lessons. The lessons use content from the central security object database.

The lessons which by default are offered to the user depend on the results from the survey module and upon which ISO content categories the Manager has chosen to activate for the customer organization to which the user belongs.

The user and the Manager have the option to select and de-select other lessons or modules than those offered by default.

E-learning lessons or modules exist for each ISO content category and for many types of Information security objects.

An e-learning lesson takes e.g. 20-30 minutes to complete for an average user.

The lessons are able to communicate both the generic information security content and the content of the security policies in a motivating, appealing and catching way.

An audit module pulls out selected ISO's as defined by the policy module or by other modules. An audit list is generated automatically with all or selected ISO's. Each ISO constitutes a potential control point. For each control point it is indicated whether or not compliance is established. It is possible to make notes to the compliance statement. Users of the audit module may be central security officers requiring other parts of an organization to comply with various policies. Alternatively, the users may be employees who do a self assessment of their policy compliance. Further alternatively, the users may be internal or external auditors, who are auditing the security policy compliance of an organization.

A risk analysis module defines, structures and contains the content of a risk analysis report. This includes physical and information based assets, vulnerabilities, threats, risk or likelihood of incidents, as well as consequences when/if incidents happen. The Risk Analysis module is linked to ISO's so that ISO's can be selected in order to reduce risk if desired.

An incident module defines, structures, logs and contains the content of security incidents. This includes incidents to physical and information based assets. The incident module is linked to ISO's so that ISO's can be selected in order to reduce the risk of an incident re-occurring if desired. The incident module links to the Risk analysis module so that historically logged data can be used to improve the accuracy of risk or likelihood of incidents in the Risk analysis module.

The database module contains the core data structures of the system. These structures are implemented on a database platform which:

-   Can be distributed as full runtime versions to deliver “in a box” type solutions.
-   Gives a high level of platform independence in order to meet high security requirements.

The Management module includes:

-   Common user management routines for the three modules.
-   User access and authentication modules.
-   Data maintenance routines and interfaces.

Administrators are authenticated at a higher level than end users, in order to meet the requirements of easy access for end users and high security in the system.

Using e-learning systems—online and offline—provides information security lessons with generic content to all—or to groups of—computer users throughout any organisation.

Effects: Users gain a better understanding of general information security aspects and can, as a result, operate their workplace computer with increased information security.

Using e-learning systems—online and offline—provides information security lessons with organisation-specific content to all—or to groups of—computer users throughout any organisation.

Effects: Users gain a better understanding of the security policies, descriptions, procedures and requirements in the organisation of which they are a member. Users can process and work with the organisation's information security assets, e.g. documents, data and general information security aspects, in a more secure way than users who have not obtained this understanding through the invention.

Using multimedia, e.g. sound, speech, voices, animations, moving pictures, video recordings and recorded computer screen shots, provides information security learning to computer users throughout the organisation.

Effects: Users become increasingly motivated to learn information security and to return to the learning process for further learning.

By having general information security content and questions in electronically performed computer user surveys, the users receive the right security answers together with their own answers.

Effect: Survey participants become increasingly aware of the content in the survey. Users learn security. A survey report or management reports can be generated. A survey report can document the information security awareness among the computer users in the organisation. The survey results can also be used to target succeeding education more efficiently. The targeting can be done by groups of the organisation or by individual.

The information security content is preferably provided as individual (for an organisation) information security content and questions in electronically performed computer user surveys.

Effects: Survey participants become increasingly aware of the organisation-specific content in the survey. A survey report or management reports can be generated. A survey report can document the specific knowledge about the information security awareness among the computer users in the organisation. The survey results can also be used to target succeeding education more efficiently. The targeting can be done by groups of the organisation or by individual.

The technique according to the invention provides information securityawareness, security lessons and security surveys targeted to computerusers throughout the organisation.

Effects: The weakest link in the information security chain is strengthened by the invention. The information security chain consists of technology/products/systems as well as end user behaviour. End users without sufficient knowledge are the weakest link, and when strengthened through the invention, end users can choose a secure behaviour when working and when using computers to process information assets.

Information security policies, information security procedures, information security instructions or information security rules are saved in a relational database. These document types are modularised and saved in the database as information security objects (ISO's). The objects contain, for example, specific or general information security objects and appropriate content or values of such objects.

EXAMPLE

Assume a traditional style security policy specifies users' behaviour to be using password(s) with a certain minimum length, and assume that length is e.g. 6 characters. In the relational database one record would be added with at minimum the following information security object content:

-   1) Content category is “user behaviour”,
-   2) descriptor is “passwords with a certain minimum length are required to be used”,
-   3) the actual length which is required, and
-   4) Target groups are “users” who need to set their password and “it-staff” who need to set computer systems to enforce the minimum length.

EXAMPLE 2

Assume a traditional style security policy stipulates rules for how users shall treat information assets. One area of regulation is about employees having papers and documents on their desks. Users are required to clear their desk of confidential papers by the end of each working day. In the relational database one record would be added with at minimum the following information security object content:

-   1) Content category is “information asset handling”,
-   2) descriptor is “rules for clearing employees' desks of information, e.g. documents and papers”,
-   3) content is “Employees must clear their desk by the end of each working day.”, and
-   4) The target group is “office employees of Company XYZ, Inc.”

Effect: Database based security policies, security procedures, security instructions, or security rules can be created, managed and re-used in other contexts with less manual effort compared to traditional security policies and traditional policy management tools. The increased effectiveness also has the effect of increased information security for organizations and users, as security policies, security procedures, security instructions, or security rules are foundations for improved information security in organizations of any type.

The ISO's are stored in a database and are used as modular content for e.g. information security policies, information security procedures, information security instructions, and information security rules. The ISO's are assigned a unique identifier allowing organizations which create and maintain e.g. security policies to link to the identifier. The ISO's are also assigned values for “default security level value”. The ISO's are also assigned a status value for each organization.

Effects: Increased re-use of ISO's, as organizations can choose and select content without “re-writing” default ISO's to go into their policies.

By specifying a default security level value for a specific organisation, the invention makes it possible to automatically create a default policy, simply by querying the default ISO's which match the default security level value of the organisation. The status value for each ISO makes it possible for a management user of an organisation to define values which set the status. For example, ISO's with the value “new since last” or “ready for review” can be processed and can be assigned a new status, e.g. “Current”, meaning it now is a part of the current policy. Similarly, the status values can also have the effect of identifying which ISO's deliberately are not included in a policy, e.g. with the value “Unused”. The status value also makes it possible to add custom content to an organisation's policies, since e.g. the value “Custom” can be used as such.

The content of the information security objects is utilised for automatically generating relevant content of information security surveys. The ISO's which are also content in security policies are utilised for surveying e.g. user conformance, understanding, knowledge and awareness of the defined and current security policies and of information security aspects more generally.

Effects: The surveys are generated with much less effort by re-using ISO's than by using traditional survey content and preparation methods.

The surveys contain more accurate and relevant content for the user. Organizations using this invention gain more accurate reporting on topics of relevance and improved information security.

Example Content in Survey

The organisation-specific parts of the survey are queried from the information security object database.

| Question | Answer options | Right answer | Comment |
|---|---|---|---|
| Does your company have a set of security policies? | Yes/No | As defined in ISO-DB | |
| How aware are you about the content of the policies? | Fully/well/some/not at all | Not defined | |
| According to your knowledge, does your company have policies or rules about “<Object Category>”? | Yes/No/Don't know | Yes if <Policy Category> is found in current policy | Repeat until all categories have been asked |
| According to your knowledge, does your company have a policy which defines “<information security object>”? | Yes/No/Don't know | Yes if <Information security object> is found in current policy | Repeat until all objects have been asked |
| According to your knowledge, what does the policy say about “<information security object>”? | List all Object Content Templates for the Information security object | The Object Content which is defined in the Policy for this Information security object | Repeat until all objects have been asked |

For the general security knowledge part of the Survey, the questions, answer options and right answers are managed by the Manager and Superuser in a way similar to the Policy Management.

A survey consists of a link to a policy, a number of questions, answer options, and an indication of the right answer option together with a score for each option. The default score for the right answer is 10 and the default score for wrong answers is 0. Questions are stored in a table in the security object database.

The answers are stored in a table which links to the user, to the questions and to the survey. If the user requested to be anonymous, the answers are added to answer consolidation tables which allow the Result reports to be generated without saving individual user responses.
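The survey table above together with the scoring and answer storage rules (default scores 10 and 0, consolidation tables for anonymous answers, the log of who has answered for the reminder process), as an added Python example that is not code from the patent. The sample current policy, the category list and the choice of “No” as the right answer for a category absent from the policy are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RIGHT_SCORE, WRONG_SCORE = 10, 0        # default scores stated on the page

@dataclass
class Iso:
    """Information security object as it sits in the current policy (constructed sample data)."""
    iso_id: str
    policy_category: str                # the <Object Category> used in the category question
    descriptor: str                     # the <information security object>
    object_content: str                 # the value defined in the policy
    content_templates: List[str]        # all Object Content templates for this ISO

@dataclass
class Question:
    qid: str
    text: str
    options: List[str]
    right: Optional[str]                # None where the table says "Not defined"

CURRENT_POLICY = [  # constructed
    Iso("pw-len", "Passwords", "a minimum password length", "eight characters",
        ["six characters", "eight characters", "twelve characters"]),
    Iso("desk", "Information asset handling", "clearing desks of confidential papers",
        "by the end of each working day",
        ["by the end of each working day", "whenever the desk is left"]),
]
ALL_CATEGORIES = ["Passwords", "Information asset handling", "Network Access"]  # constructed

def generate_survey(policy: List[Iso], all_categories: List[str]) -> List[Question]:
    """Organisation-specific survey part derived from the ISO-DB, row by row as in the table:
    one question per known category, then two per ISO in the current policy."""
    qs = [Question("has-policy", "Does your company have a set of security policies?",
                   ["Yes", "No"], "Yes" if policy else "No"),
          Question("aware", "How aware are you about the content of the policies?",
                   ["Fully", "Well", "Some", "Not at all"], None)]
    in_policy = {iso.policy_category for iso in policy}
    for cat in all_categories:                        # repeat until all categories have been asked
        qs.append(Question(f"cat:{cat}",
                           f"According to your knowledge, does your company have policies "
                           f"or rules about “{cat}”?", ["Yes", "No", "Don't know"],
                           "Yes" if cat in in_policy else "No"))   # "No" when absent: assumed
    for iso in policy:                                # repeat until all objects have been asked
        qs.append(Question(f"obj:{iso.iso_id}",
                           f"According to your knowledge, does your company have a policy "
                           f"which defines {iso.descriptor}?", ["Yes", "No", "Don't know"], "Yes"))
        qs.append(Question(f"val:{iso.iso_id}",
                           f"According to your knowledge, what does the policy say about "
                           f"{iso.descriptor}?", list(iso.content_templates), iso.object_content))
    return qs

def score(questions: List[Question], answers: Dict[str, str]) -> Tuple[int, int]:
    """(score, maximum); questions without a defined right answer are not scored."""
    got = maximum = 0
    for q in questions:
        if q.right is None:
            continue
        maximum += RIGHT_SCORE
        got += RIGHT_SCORE if answers.get(q.qid) == q.right else WRONG_SCORE
    return got, maximum

class SurveyStore:
    """Answer tables. Named responses link user, question and survey; anonymous responses
    are added only to the consolidation counters, so reports need no individual records."""

    def __init__(self, survey_id: str):
        self.survey_id = survey_id
        self.answers: List[Tuple[str, str, str]] = []          # (user, qid, option)
        self.consolidated = defaultdict(Counter)               # qid -> option -> count
        self.responded = set()                                 # participation only, for reminders

    def submit(self, user: str, answers: Dict[str, str], anonymous: bool = False) -> None:
        self.responded.add(user)
        for qid, option in answers.items():
            self.consolidated[qid][option] += 1
            if not anonymous:
                self.answers.append((user, qid, option))

    def pending(self, invited: List[str]) -> List[str]:
        """Invited users who have not answered: candidates for the reminder process."""
        return sorted(set(invited) - self.responded)

    def right_answer_rate(self, questions: List[Question]) -> Dict[str, float]:
        """Share of right answers per scored question, over named and anonymous responses."""
        rates = {}
        for q in questions:
            if q.right is None:
                continue
            counts = self.consolidated.get(q.qid, Counter())
            total = sum(counts.values())
            rates[q.qid] = counts[q.right] / total if total else 0.0
        return rates

if __name__ == "__main__":
    for q in generate_survey(CURRENT_POLICY, ALL_CATEGORIES):
        print(f"{q.qid:14} {q.text}  [{' / '.join(q.options)}]  right: {q.right}")
```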

The ISO's are used as (part of) the content in security learning.

Effects: Users of the information learning system will be presented not only with general knowledge, but also with the specific content of the organisation they belong to.

Users will learn not only the general knowledge but will also learn which ISO's manager users have decided are relevant for the users to know in their organization.

The ISO's are used as (part of) the content in audit reports. Audit reports link to specific security policies.

Effects: Internal or external auditors can audit specific security policy compliance. Audit reports reflecting real security policies and their control points can be generated with less manual work effort. The invention can auto-generate control points based upon ISO's.

Content from the ISO's is linked with contents in risk analysis reports (RAR).

Effects: RAR's can identify risk areas, and ISO's in security policies can be used to reduce those risks, if desired by the organization and/or the users. Policies made with this link become more targeted at reducing real risks than without the link.

The incident module is linked to ISO's. The incident module links to the Risk analysis module.

Effects: ISO's in security policies can be selected more efficiently and can reduce the risk of incidents re-occurring if desired. Historically logged data can be used to improve the accuracy of risk or likelihood of incidents in the Risk analysis module.

The user settings and permissions which are defined in the management module are re-used in the policy, survey and education modules.

Effects: Users can, without the need for repeating authentication routines (e.g. passwords), be educated and surveyed in e.g. security policies, security instructions, security surveys and security learning.

In the accompanying drawings, a first and presently preferred embodiment of the computer system according to the present invention is shown.

In FIG. 1, a diagrammatic view is shown illustrating the structure of the computer system and the software thereof, comprising centrally an information security object database ISO-DB connected through respective interfaces, designated interface A, interface B, interface C and interface D, to a policy module, a survey module, an educational module and a management module, respectively. The modules are further connected through respective interfaces to the users, either directly or through a network to the user PC's.

In FIG. 2, a route diagram is shown illustrating the security policy creation technique according to the present invention. It is contemplated that the diagram and the text thereof are self-explanatory and therefore no detailed description of the diagram is presented.

In FIG. 3, a block diagrammatic view of the security policy management method and a system according to the present invention is shown. The block diagrammatic view is contemplated to be self-explanatory and therefore no detailed description of the diagram is presented.

Although the present invention has been described with reference to specific applications and a specific embodiment, the present invention is also to be contemplated as including any modification obvious to a person having ordinary skill in the art, and therefore the scope of the invention is to be considered in view of the appended claims.

1. A computer system for providing security awareness in an organization, comprising: a memory means, constituted by a hard disk or Random Access Memory device, a central processor unit connected to said memory means, an input device, constituted by a mouse or keyboard device, connected to said central processor unit, for the input of a piece of security information into said computer system for storing said security information in said memory means as an information security object, an output device, constituted by a printer or display device, connected to said central processor unit for the output of security information, a policy module communicating with said input device and said memory means for the conversion of said piece of security information into said information security object to be stored in said memory means, and a survey module communicating with said memory means and said output means for generating from said information security object an element of a questionnaire to be output by means of said output device.

2. The computer system according to claim 1, further comprising an educational module communicating with said memory means for receiving through said input device a set of answers to said questionnaire and for comparing said set of answers of said questionnaire with said information security objects for determining the correct and the incorrect answers, and generating, based on said incorrect answers, an educational program to be output by means of said output device.

3. The computer system according to claim 2, said set of answers being stored in said memory means.

4. The computer system according to any of the claims 1-3, said memory means being organized as a database.

5. The computer system according to any of the claims 1-3, said computer system constituting a stand alone computer or alternatively a computer system including a network and a plurality of PC's each including an input device and an output device to be operated by a respective user.

6. The computer system according to any of the claims 1-3, wherein said central processor unit controls, in said conversion of said piece of security information into said information security object, said policy module to check in said memory means the possible presence of a corresponding security information object.

7. A method of providing security awareness in an organization, comprising the steps of providing a piece of security information, storing said piece of security information in a memory means as an information security object, said information security object being generated in a policy module, generating in a survey module an element of a questionnaire from said information security object, and outputting said questionnaire including said element.

8. The method according to claim 7, further comprising the computer system according to any of the claims 1-3.